[PATCH] Make update_keysig_packet honour cert-digest-algo

Werner Koch wk at gnupg.org
Wed May 13 14:53:40 CEST 2009

On Tue, 12 May 2009 22:05, dkg at fifthhorseman.net said:

> do the Right Thing proactively, well before the "weaponized" attacks are
> created.  The tools we release this year will likely still be in use 5
> years from now, in a different cryptographic landscape, on behalf of
> those same users who don't understand the issues.

We should get things back to reality.  

First of all there is no attack on SHA-1.  Maybe it will be possible to
mount a collision attack in a couple of years.  Maybe it will then be
possible to attack the web of trust or do any other collision based
evil.  These are and will be targeted attacks on certain
infrastructures.  Folks responsible for these infrastructures need to
care about it and put possible collision attacks on their list of
attack scenarios.

This is nothing the average user needs to care about.  We don't need to
prioritize pro-active changes of active keys either.  If real harm will
be possible, everyone who cares about security just creates a vanilla new
key and is done.  A key replacement strategy needs to be in place
anyway.  Those who don't like that should have the knowledge of how to
modify their own keys.

Things to keep in mind:

 - The web-of-trust is an ad-hoc structure and its security margin is
   for sure far far less than 2^52.  Attacking the WoT is far easier
   than mounting a collision attack on SHA-1.  Even without doing
   rubber hose cryptanalysis.

 - There are tools implementing the security (e.g. gpg).  Assuming that
   these tools are bug free or at least that these bugs are harder to
   find and exploit than to mount a real world SHA-1 collision attack,
   is plainly wrong.  Those who believe that should do a reality check.

 - There are other applications on the box running the tools: Are they
   secure enough?  I doubt that.

 - There is an operating system involved.  Is it really secure enough?
   I doubt that too.

 - I guess that at least 99 percent of all users are not able to keep
   their environment hardened against simple attacks.

Why should we then harden the existing keys automagically and risk
interoperability problems which will in turn lead to decreased security?

Again: Those who rely on nearly perfect security know about the problems
and can develop ways to mitigate that.



Thoughts are free.  Exceptions are regulated by a federal law.

More information about the Gnupg-devel mailing list